7 Mandatory Breach Reporting Requirements and Examples — Ontario

THERE ARE 7 SITUATIONS WHERE YOU MUST NOTIFY THE ONTARIO PRIVACY COMMISSIONER OF A PRIVACY BREACH

Use or disclosure without authority : Looking at a family member, a celebrity, a politician records out of curiosity or for a malicious intent. Limited exceptions: accessing a record by mistake, or mailing a letter to the wrong address.

Stolen Information: Laptop, Tablet, or paper theft or loss. In addition to being subject to malware or ransomware.

Extended Use or Disclosure: Following a reported breach, a sales company used records to market its products or services.

Pattern or Similar Breaches: Letters are being sent to the wrong address, employees are repeatedly accessing a patient’s record.

Disciplinary action against a college member: A college member resigns, is suspended, or has their licenses revoked following or combined with a breach.

Disciplinary action against a non college member: Resignation, Suspension, or firing of an employee following or during a breach.

Significant Breach: the information is sensitive, large volume , large number of affected individuals, and more than one custodian or agent is involved.

Custodians will be required to start tracking privacy breach statistics as of January 1, 2018, and will be required to provide the Commissioner with an annual report of the previous calendar year’s statistics, starting in March 2019.